CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-6278 79 XSS 2019-01-14 2019-01-18
3.5
None Remote Medium Single system None Partial None
XSS exists in JPress v1.0.4 via Markdown input, or Markdown input with the code input option.
2 CVE-2019-6263 79 XSS 2019-01-16 2019-01-19
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS.
3 CVE-2019-6262 79 XSS 2019-01-16 2019-01-18
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration helpurl settings allowed stored XSS.
4 CVE-2019-3501 79 XSS 2019-01-02 2019-01-15
3.5
None Remote Medium Single system None Partial None
The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile.
5 CVE-2019-2547 284 DoS 2019-01-16 2019-01-18
3.5
None Remote Medium Single system None None Partial
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise Java VM. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java VM. CVSS 3.0 Base Score 3.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L).
6 CVE-2019-2503 284 2019-01-16 2019-01-24
3.8
None Local Network Medium Single system Partial None Partial
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection Handling). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.4 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H).
7 CVE-2019-2410 284 2019-01-16 2019-01-18
3.6
None Local Low Not required Partial Partial None
Vulnerability in the Oracle Hospitality Cruise Shipboard Property Management System component of Oracle Hospitality Applications (subcomponent: DGS RES Online, FMS Sender, FMS Receiver, OHC WPF Security). The supported version that is affected is 8.0.8. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Hospitality Cruise Shipboard Property Management System executes to compromise Oracle Hospitality Cruise Shipboard Property Management System. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality Cruise Shipboard Property Management System accessible data as well as unauthorized read access to a subset of Oracle Hospitality Cruise Shipboard Property Management System accessible data. CVSS 3.0 Base Score 5.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
8 CVE-2019-2409 284 2019-01-16 2019-01-18
3.3
None Local Medium Not required None Partial Partial
Vulnerability in the Oracle Hospitality Cruise Shipboard Property Management System component of Oracle Hospitality Applications (subcomponent: SPMS Suite). The supported version that is affected is 8.0.8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Hospitality Cruise Shipboard Property Management System executes to compromise Oracle Hospitality Cruise Shipboard Property Management System. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality Cruise Shipboard Property Management System, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality Cruise Shipboard Property Management System as well as unauthorized update, insert or delete access to some of Oracle Hospitality Cruise Shipboard Property Management System accessible data and unauthorized read access to a subset of Oracle Hospitality Cruise Shipboard Property Management System accessible data. CVSS 3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H).
9 CVE-2019-2407 284 2019-01-16 2019-01-18
3.6
None Local Low Not required Partial Partial None
Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Food and Beverage Applications. The supported version that is affected is 9.1.0. Easily exploitable vulnerability allows low privileged attacker having Report privilege with logon to the infrastructure where Oracle Hospitality Reporting and Analytics executes to compromise Oracle Hospitality Reporting and Analytics. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality Reporting and Analytics accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality Reporting and Analytics accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).
10 CVE-2019-2397 264 2019-01-16 2019-01-18
3.6
None Local Low Not required Partial Partial None
Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Food and Beverage Applications. The supported version that is affected is 9.1.0. Easily exploitable vulnerability allows low privileged attacker having Report privilege with logon to the infrastructure where Oracle Hospitality Reporting and Analytics executes to compromise Oracle Hospitality Reporting and Analytics. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality Reporting and Analytics accessible data as well as unauthorized read access to a subset of Oracle Hospitality Reporting and Analytics accessible data. CVSS 3.0 Base Score 4.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
11 CVE-2019-0646 79 XSS 2019-01-17 2019-01-22
3.5
None Remote Medium Single system None Partial None
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
12 CVE-2019-0624 20 2019-01-17 2019-01-22
3.5
None Remote Medium Single system None Partial None
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
13 CVE-2019-0558 79 XSS 2019-01-08 2019-01-15
3.5
None Remote Medium Single system None Partial None
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint Server, Microsoft SharePoint, Microsoft Business Productivity Servers. This CVE ID is unique from CVE-2019-0556, CVE-2019-0557.
14 CVE-2019-0557 79 XSS 2019-01-08 2019-01-15
3.5
None Remote Medium Single system None Partial None
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0556, CVE-2019-0558.
15 CVE-2019-0556 79 XSS 2019-01-08 2019-01-15
3.5
None Remote Medium Single system None Partial None
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft Office SharePoint XSS Vulnerability." This affects Microsoft SharePoint. This CVE ID is unique from CVE-2019-0557, CVE-2019-0558.
16 CVE-2019-0245 79 XSS 2019-01-08 2019-01-17
3.5
None Remote Medium Single system None Partial None
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
17 CVE-2019-0244 79 XSS 2019-01-08 2019-01-17
3.5
None Remote Medium Single system None Partial None
SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
18 CVE-2019-0027 79 XSS 2019-01-15 2019-01-17
3.5
None Remote Medium Single system None Partial None
A persistent cross-site scripting (XSS) vulnerability in the Snort Rules configuration of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.
19 CVE-2019-0026 79 XSS 2019-01-15 2019-01-17
3.5
None Remote Medium Single system None Partial None
A persistent cross-site scripting (XSS) vulnerability in the Zone configuration of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.
20 CVE-2019-0025 79 XSS 2019-01-15 2019-01-17
3.5
None Remote Medium Single system None Partial None
A persistent cross-site scripting (XSS) vulnerability in RADIUS configuration menu of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.
21 CVE-2019-0024 79 XSS 2019-01-15 2019-01-17
3.5
None Remote Medium Single system None Partial None
A persistent cross-site scripting (XSS) vulnerability in the Email Collectors menu of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.
22 CVE-2019-0023 79 XSS 2019-01-15 2019-01-17
3.5
None Remote Medium Single system None Partial None
A persistent cross-site scripting (XSS) vulnerability in the Golden VM menu of Juniper ATP may allow authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.
23 CVE-2019-0018 79 XSS 2019-01-15 2019-01-17
3.5
None Remote Medium Single system None Partial None
A persistent cross-site scripting (XSS) vulnerability in the file upload menu of Juniper ATP may allow an authenticated user to inject arbitrary scripts and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.
24 CVE-2018-1999029 79 XSS 2018-08-01 2018-10-01
3.5
None Remote Medium Single system None Partial None
A cross-site scripting vulnerability exists in Jenkins Shelve Project Plugin 1.5 and earlier in ShelveProjectAction/index.jelly, ShelvedProjectsAction/index.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
25 CVE-2018-1999021 79 XSS 2018-07-23 2018-09-19
3.5
None Remote Medium Single system None Partial None
Gleezcms Gleez Cms version 1.3.0 contains a Cross Site Scripting (XSS) vulnerability in Profile page that can result in Inject arbitrary web script or HTML via the profile page editor. This attack appear to be exploitable via The victim must navigate to the attacker's profile page.
26 CVE-2018-1999008 79 XSS 2018-07-23 2018-09-19
3.5
None Remote Medium Single system None Partial None
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable via an Authenticated user with media module permission who can create arbitrary folder name (XSS). This vulnerability appears to have been fixed in build 437.
27 CVE-2018-1999007 79 XSS 2018-07-23 2018-09-19
3.5
None Remote Medium Single system None Partial None
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.
28 CVE-2018-1999005 79 XSS 2018-07-23 2018-09-19
3.5
None Remote Medium Single system None Partial None
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
29 CVE-2018-1002100 19 2018-06-01 2018-07-03
3.6
None Local Low Not required None Partial Partial
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.
30 CVE-2018-1002009 79 XSS 2018-12-03 2018-12-27
3.5
None Remote Medium Single system None Partial None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3: via GET reuqest to the email variable.
31 CVE-2018-1002008 79 XSS 2018-12-03 2018-12-27
3.5
None Remote Medium Single system None Partial None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4: via GET request offset variable.
32 CVE-2018-1002007 79 XSS 2018-12-03 2018-12-27
3.5
None Remote Medium Single system None Partial None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:15: via POST request variable html_id.
33 CVE-2018-1002006 79 XSS 2018-12-03 2018-12-29
3.5
None Remote Medium Single system None Partial None
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes
34 CVE-2018-1002005 79 XSS 2018-12-03 2018-12-28
3.5
None Remote Medium Single system None Partial None
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in bft_list.html.php:43: via the filter_signup_date parameter.
35 CVE-2018-1002004 79 XSS 2018-12-03 2018-12-27
3.5
None Remote Medium Single system None Partial None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
36 CVE-2018-1002003 79 XSS 2018-12-03 2018-12-27
3.5
None Remote Medium Single system None Partial None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
37 CVE-2018-1002002 79 XSS 2018-12-03 2018-12-27
3.5
None Remote Medium Single system None Partial None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
38 CVE-2018-1002001 79 XSS 2018-12-03 2018-12-27
3.5
None Remote Medium Single system None Partial None
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit.
39 CVE-2018-1000887 79 XSS 2018-12-28 2019-01-15
3.5
None Remote Medium Single system None Partial None
Peel shopping peel-shopping_9_1_0 version contains a Cross Site Scripting (XSS) vulnerability that can result in an authenticated user injecting java script code in the "Site Name EN" parameter. This attack appears to be exploitable if the malicious user has access to the administration account.
40 CVE-2018-1000870 79 Exec Code XSS 2018-12-20 2019-01-08
3.5
None Remote Medium Single system None Partial None
PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in Execute code in the victims browser. This attack appear to be exploitable via Attacker change theme parameter in user settings. Admin(Victim) views user in admin-panel and gets exploited.. This vulnerability appears to have been fixed in 1.4.
41 CVE-2018-1000856 79 XSS 2018-12-20 2019-01-07
3.5
None Remote Medium Single system None Partial None
DomainMOD version 4.09.03 and above. Also verified in the latest version 4.11.01 contains a Cross Site Scripting (XSS) vulnerability in Segment Name field in the segments page that can result in Arbitrary script can be executed on all users browsers who visit the affected page. This attack appear to be exploitable via Victim must visit the vulnerable page. This vulnerability appears to have been fixed in No fix yet.
42 CVE-2018-1000847 79 Exec Code XSS 2018-12-20 2019-01-08
3.5
None Remote Medium Single system None Partial None
FreshDNS version 1.0.3 and prior contains a Cross Site Scripting (XSS) vulnerability in Account data form; Zone editor that can result in Execution of attacker's JavaScript code in victim's session. This attack appear to be exploitable via The attacker stores a specially crafted string as their Full Name in their account details. The victim (e.g. the administrator of the FreshDNS instance) opens the User List in the admin interface.. This vulnerability appears to have been fixed in 1.0.5 and later.
43 CVE-2018-1000816 79 XSS 2018-12-20 2019-01-07
3.5
None Remote Medium Single system None Partial None
Grafana version confirmed for 5.2.4 and 5.3.0 contains a Cross Site Scripting (XSS) vulnerability in Influxdb and Graphite query editor that can result in Running arbitrary js code in victims browser.. This attack appear to be exploitable via Authenticated user must click on the input field where the payload was previously inserted..
44 CVE-2018-1000813 79 XSS 2018-12-20 2019-01-06
3.5
None Remote Medium Single system None Partial None
Backdrop CMS version 1.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Sanitization of custom class names used on blocks and layouts. that can result in Execution of JavaScript from an unexpected source.. This attack appear to be exploitable via A user must be directed to an affected page while logged in.. This vulnerability appears to have been fixed in 1.11.1 and later.
45 CVE-2018-1000604 79 XSS 2018-06-26 2018-08-23
3.5
None Remote Medium Single system None Partial None
A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
46 CVE-2018-1000513 79 Exec Code XSS 2018-06-26 2018-08-21
3.5
None Remote Medium Single system None Partial None
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x.
47 CVE-2018-1000508 79 XSS 2018-06-26 2018-08-20
3.5
None Remote Medium Single system None Partial None
WP ULike version 2.8.1, 3.1 contains a Cross Site Scripting (XSS) vulnerability in Settings screen that can result in allows unauthorised users to do almost anything an admin can. This attack appear to be exploitable via Admin must visit logs page. This vulnerability appears to have been fixed in 3.2.
48 CVE-2018-1000413 79 XSS 2019-01-09 2019-01-15
3.5
None Remote Medium Single system None Partial None
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.
49 CVE-2018-1000219 79 XSS 2018-08-20 2018-10-12
3.5
None Remote Medium Single system None Partial None
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'scan' parameter in line #41 of interface/fax/fax_view.php that can result in The vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.. This attack appear to be exploitable via The victim must visit on a specially crafted URL..
50 CVE-2018-1000218 79 XSS 2018-08-20 2018-10-12
3.5
None Remote Medium Single system None Partial None
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'file' parameter in line #43 of interface/fax/fax_view.php that can result in The vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.. This attack appear to be exploitable via The victim must visit on a specially crafted URL..
Total number of vulnerabilities : 3652   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.